package io.camunda.zeebe.gateway.interceptors.impl;

import io.camunda.search.entities.UserEntity;
import io.camunda.search.query.SearchQueryBuilders;
import io.camunda.service.UserServices;
import io.camunda.zeebe.auth.JwtDecoder;
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Metadata;
import io.grpc.MethodDescriptor;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.crypto.password.PasswordEncoder;

/* loaded from: input_file:io/camunda/zeebe/gateway/interceptors/impl/AuthenticationInterceptor.class */
public class AuthenticationInterceptor implements ServerInterceptor {
    public static final Context.Key<Map<String, Object>> USER_CLAIMS = Context.key("io.camunda.zeebe:user_claim");
    public static final Context.Key<String> USERNAME = Context.key("io.camunda.zeebe:username");
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationInterceptor.class);
    private static final Metadata.Key<String> AUTH_KEY = Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);
    private final UserServices userServices;
    private final PasswordEncoder passwordEncoder;

    public AuthenticationInterceptor(UserServices userServices, PasswordEncoder passwordEncoder) {
        this.userServices = userServices;
        this.passwordEncoder = passwordEncoder;
    }

    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        MethodDescriptor<ReqT, RespT> methodDescriptor = serverCall.getMethodDescriptor();
        String str = (String) metadata.get(AUTH_KEY);
        if (str != null) {
            return isBasicAuth(str) ? handleBasicAuth(serverCall, metadata, serverCallHandler, methodDescriptor, str) : handleOidcAuth(serverCall, metadata, serverCallHandler, methodDescriptor, str);
        }
        LOGGER.debug("Denying call {} as no authentication information was provided", methodDescriptor.getFullMethodName());
        return deny(serverCall, Status.UNAUTHENTICATED.augmentDescription("Expected authentication information at header with key [%s], but found nothing".formatted(AUTH_KEY.name())));
    }

    private boolean isBasicAuth(String str) {
        return str.startsWith("Basic ");
    }

    private <ReqT, RespT> ServerCall.Listener<ReqT> handleBasicAuth(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler, MethodDescriptor<ReqT, RespT> methodDescriptor, String str) {
        try {
            String[] split = new String(Base64.getDecoder().decode(str.replaceFirst("Basic ", ""))).split(":", 2);
            String str2 = split[0];
            String str3 = split[1];
            Optional<UserEntity> loadUserByUsername = loadUserByUsername(str2);
            if (loadUserByUsername.isEmpty()) {
                LOGGER.debug("Denying call {} as the user {} does not exist", methodDescriptor.getFullMethodName(), str2);
                return deny(serverCall, Status.UNAUTHENTICATED.augmentDescription("Invalid credentials").withCause(new IllegalArgumentException("Invalid credentials")));
            }
            UserEntity userEntity = loadUserByUsername.get();
            if (isPasswordValid(str3, userEntity.password())) {
                return Contexts.interceptCall(Context.current().withValue(USERNAME, userEntity.username()), serverCall, metadata, serverCallHandler);
            }
            LOGGER.debug("Denying call {} as the password is not valid for user {}", methodDescriptor.getFullMethodName(), userEntity.username());
            return deny(serverCall, Status.UNAUTHENTICATED.augmentDescription("Invalid credentials").withCause(new IllegalArgumentException("Invalid credentials")));
        } catch (RuntimeException e) {
            LOGGER.debug("Denying call {} as the authentication info are not valid. Error message: {}", methodDescriptor.getFullMethodName(), e.getMessage());
            return deny(serverCall, Status.UNAUTHENTICATED.augmentDescription("Expected valid authentication info, see cause for details").withCause(e));
        }
    }

    private Optional<UserEntity> loadUserByUsername(String str) {
        return this.userServices.search(SearchQueryBuilders.userSearchQuery(builder -> {
            return builder.filter(builder -> {
                return builder.username(str);
            }).page(builder2 -> {
                return builder2.size(1);
            });
        })).items().stream().filter((v0) -> {
            return Objects.nonNull(v0);
        }).findFirst();
    }

    private boolean isPasswordValid(String str, String str2) {
        return this.passwordEncoder.matches(str, str2);
    }

    private <ReqT, RespT> ServerCall.Listener<ReqT> handleOidcAuth(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler, MethodDescriptor<ReqT, RespT> methodDescriptor, String str) {
        try {
            return Contexts.interceptCall(Context.current().withValue(USER_CLAIMS, new JwtDecoder(str.replaceFirst("^Bearer ", "")).decode().getClaims()), serverCall, metadata, serverCallHandler);
        } catch (RuntimeException e) {
            LOGGER.debug("Denying call {} as the token is not valid. Error message: {}", methodDescriptor.getFullMethodName(), e.getMessage());
            return deny(serverCall, Status.UNAUTHENTICATED.augmentDescription("Expected a valid token, see cause for details").withCause(e));
        }
    }

    private <ReqT> ServerCall.Listener<ReqT> deny(ServerCall<ReqT, ?> serverCall, Status status) {
        serverCall.close(status, new Metadata());
        return new ServerCall.Listener<ReqT>(this) { // from class: io.camunda.zeebe.gateway.interceptors.impl.AuthenticationInterceptor.1
        };
    }
}
